Tufin SecureTrack API

The SecureTrack REST API enables programmatic access to Tufin's network security policy management platform. It supports querying network devices and firewall rules, analyzing network topology and running path queries, retrieving policy compliance data, retrieving risk and cleanup findings, managing rule documentation and recertification, and searching for network objects, services, and interfaces across multi-vendor firewall infrastructure. Authentication uses HTTP Basic Auth with Tufin Orchestration Suite (TOS) credentials: every request runs with that user's TOS permissions, and because Basic Auth only base64-encodes the credentials, the API must be reached over HTTPS. A script that only reports (rule audits, path checks) should use a TOS account with no more permission than it needs.
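Added example, not Tufin's code and not part of the spec on this page: a small Python client that authenticates with Basic Auth over verified TLS, walks GET /devices and GET /devices/{deviceId}/rules using the `devices.device[]` and `rules.rule[]` envelopes the spec describes, and flags rules that accept any-to-any traffic, have an any source or destination, have not matched traffic in 90 days, are disabled, or carry no comment. The environment variable names, the "any" heuristic (object named any/all, or 0.0.0.0/0.0.0.0), and the 90-day threshold are this example's assumptions; the sample responses are constructed so the audit runs offline, and the same `audit()` runs against a live TOS host when the transport is swapped.

```python
"""Rule audit over the SecureTrack REST API.

Added example, not Tufin's code. Endpoints and response envelopes follow the
spec on this page; everything else is an assumption of this example:
  * TOS host/user/password come from TOS_HOST, TOS_USER, TOS_PASSWORD;
  * an object named "any"/"all", or with ip 0.0.0.0 and netmask 0.0.0.0, is "any";
  * a rule is "stale" when lastHit is older than STALE_DAYS.
The transport is injected so the audit runs offline against SAMPLE_RESPONSES.
"""
import base64
import json
import os
import ssl
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

ANY_NAMES = {"any", "all"}
STALE_DAYS = 90


def basic_auth_header(user, password):
    """RFC 7617 Authorization value. Credentials are only encoded, never encrypted: HTTPS is mandatory."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def https_transport(host, user, password):
    """Real transport: GET https://<host>/securetrack/api<path> with Basic Auth and certificate verification."""
    base = f"https://{host}/securetrack/api"
    ctx = ssl.create_default_context()  # verifies the TOS certificate; do not disable this

    def get(path, params=None):
        url = base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        req = urllib.request.Request(url, headers={
            "Authorization": basic_auth_header(user, password), "Accept": "application/json"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return json.load(resp)
    return get


def is_any_object(obj):
    name = str(obj.get("name", "")).lower()
    return name in ANY_NAMES or (obj.get("ip") == "0.0.0.0" and obj.get("netmask") == "0.0.0.0")


def is_any_service(svc):
    return str(svc.get("name", "")).lower() in ANY_NAMES


def rule_findings(rule, now):
    """Classify one Rule object (fields per the spec's Rule schema); returns a list of finding tags."""
    findings = []
    enabled = rule.get("enabled", True)
    if not enabled:
        findings.append("disabled")
    if rule.get("action") == "ACCEPT":
        src_any = any(is_any_object(o) for o in rule.get("sources", []))
        dst_any = any(is_any_object(o) for o in rule.get("destinations", []))
        svc_any = any(is_any_service(s) for s in rule.get("services", []))
        if src_any and dst_any and svc_any:
            findings.append("any-any-any-accept")
        elif src_any or dst_any:
            findings.append("any-source-or-destination")
    last_hit = rule.get("lastHit")
    if last_hit:
        hit = datetime.fromisoformat(last_hit.replace("Z", "+00:00"))
        if now - hit > timedelta(days=STALE_DAYS):
            findings.append(f"no-hit-{STALE_DAYS}d")
    elif enabled:
        findings.append("never-hit")
    if not rule.get("comment"):
        findings.append("undocumented")
    return findings


def audit(transport, now):
    """Walk every device, pull its rules, and return only the rules that have findings."""
    report = []
    for dev in transport("/devices")["devices"]["device"]:
        for rule in transport(f"/devices/{dev['id']}/rules")["rules"]["rule"]:
            found = rule_findings(rule, now)
            if found:
                report.append({"device": dev["name"], "rule": rule["name"], "findings": found})
    return report


# Constructed sample responses in the envelope shapes the spec describes (not real data).
SAMPLE_RESPONSES = {
    "/devices": {"devices": {"count": 1, "device": [
        {"id": 7, "name": "edge-fw-1", "vendor": "Check Point", "topology": True}]}},
    "/devices/7/rules": {"rules": {"count": 3, "rule": [
        {"id": 1, "name": "permit-all", "enabled": True, "action": "ACCEPT",
         "sources": [{"name": "Any"}], "destinations": [{"name": "Any"}],
         "services": [{"name": "Any"}], "comment": "", "lastHit": "2024-01-01T00:00:00Z"},
        {"id": 2, "name": "web-in", "enabled": True, "action": "ACCEPT", "sources": [{"name": "Any"}],
         "destinations": [{"name": "dmz-web", "ip": "10.1.1.10", "netmask": "255.255.255.255"}],
         "services": [{"name": "https", "protocol": "TCP", "port": "443"}],
         "comment": "CHG-0042 public web", "lastHit": "2024-06-01T00:00:00Z"},
        {"id": 3, "name": "old-backup", "enabled": False, "action": "DROP",
         "sources": [{"name": "backup-srv", "ip": "10.2.0.5", "netmask": "255.255.255.255"}],
         "destinations": [{"name": "Any"}], "services": [{"name": "Any"}],
         "comment": "decommissioned 2023"}]}},
}
AUDIT_NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed clock for the constructed sample


def sample_transport(path, params=None):
    return SAMPLE_RESPONSES[path]


def run_sample_audit():
    return audit(sample_transport, AUDIT_NOW)


if __name__ == "__main__":
    if os.environ.get("TOS_HOST"):
        live = https_transport(os.environ["TOS_HOST"], os.environ["TOS_USER"], os.environ["TOS_PASSWORD"])
        rows = audit(live, datetime.now(timezone.utc))
    else:
        rows = run_sample_audit()
    for row in rows:
        print(f"{row['device']}: {row['rule']}: {', '.join(row['findings'])}")
```

The transport is the only place credentials appear, so swapping it for a token-based or proxy-based transport later does not touch the audit logic. On the constructed sample, `permit-all` is reported as any-any-any-accept, stale and undocumented; `web-in` only for its any source; `old-backup` only as disabled (a disabled DROP rule with no hit data is not a "never hit" finding).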

OpenAPI Specification

tufin-securetrack-openapi.yml
openapi: 3.1.0
info:
  title: Tufin SecureTrack REST API
  description: >-
    The Tufin SecureTrack REST API enables programmatic access to network security
    policy management across multi-vendor firewall infrastructure. It provides endpoints
    for querying network devices, analyzing firewall rules and policies, performing network
    topology analysis, executing path queries, managing rule documentation, and retrieving
    compliance and risk analysis data. Authentication uses HTTP Basic Auth with Tufin
    Orchestration Suite (TOS) credentials.
  version: R25-2
  contact:
    name: Tufin Support
    url: https://www.tufin.com/support
  license:
    name: Tufin Terms of Use
    url: https://www.tufin.com/terms-of-use
externalDocs:
  description: Tufin SecureTrack REST API Documentation
  url: https://forum.tufin.com/support/kc/latest/Content/Suite/RESTAPI/securetrack_api.htm
servers:
  - url: https://{tos_host}/securetrack/api
    description: Tufin Orchestration Suite Server
    variables:
      tos_host:
        description: Hostname or IP address of the TOS server
        default: tufin.example.com
tags:
  - name: Devices
    description: Manage network devices and firewalls
  - name: Rules
    description: Query and manage firewall rules and policies
  - name: Topology
    description: Network topology analysis and path queries
  - name: Objects
    description: Network objects, services, and address groups
  - name: Compliance
    description: Policy compliance and risk analysis
  - name: Revisions
    description: Device policy revisions and change history
  - name: Zones
    description: Security zones and zone-to-zone matrix
paths:
  /devices:
    get:
      operationId: getDevices
      summary: Get All Devices
      description: >-
        Retrieve all network devices (firewalls, routers) managed by SecureTrack,
        optionally filtered by name, vendor, or management status.
      tags:
        - Devices
      security:
        - basicAuth: []
      parameters:
        - name: name
          in: query
          description: Filter by device name (partial match)
          schema:
            type: string
        - name: vendor
          in: query
          description: Filter by vendor (e.g., Cisco, Palo Alto, Check Point)
          schema:
            type: string
        - name: type
          in: query
          description: Filter by device type
          schema:
            type: string
        - name: status
          in: query
          description: Filter by management status
          schema:
            type: string
      responses:
        '200':
          description: List of devices
          content:
            application/json:
              schema:
                type: object
                properties:
                  devices:
                    type: object
                    properties:
                      count:
                        type: integer
                      device:
                        type: array
                        items:
                          $ref: '#/components/schemas/Device'
        '401':
          description: Unauthorized
  /devices/{deviceId}:
    get:
      operationId: getDeviceById
      summary: Get Device By ID
      description: Retrieve a specific network device by its identifier.
      tags:
        - Devices
      security:
        - basicAuth: []
      parameters:
        - name: deviceId
          in: path
          required: true
          description: The unique identifier of the device
          schema:
            type: integer
      responses:
        '200':
          description: Device details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Device'
        '404':
          description: Device not found
    put:
      operationId: updateDevice
      summary: Update Device
      description: Update an offline device's configuration.
      tags:
        - Devices
      security:
        - basicAuth: []
      parameters:
        - name: deviceId
          in: path
          required: true
          description: The unique identifier of the device
          schema:
            type: integer
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceInput'
      responses:
        '200':
          description: Device updated
  /devices/{deviceId}/revisions:
    get:
      operationId: getDeviceRevisions
      summary: Get Device Revisions
      description: Retrieve the list of policy revisions for a device.
      tags:
        - Devices
        - Revisions
      security:
        - basicAuth: []
      parameters:
        - name: deviceId
          in: path
          required: true
          description: The unique identifier of the device
          schema:
            type: integer
      responses:
        '200':
          description: List of revisions
          content:
            application/json:
              schema:
                type: object
                properties:
                  revisions:
                    type: object
                    properties:
                      revision:
                        type: array
                        items:
                          $ref: '#/components/schemas/Revision'
  /devices/{deviceId}/rules:
    get:
      operationId: getRulesByDevice
      summary: Get Rules By Device
      description: Retrieve all firewall rules for a specific device.
      tags:
        - Devices
        - Rules
      security:
        - basicAuth: []
      parameters:
        - name: deviceId
          in: path
          required: true
          description: The unique identifier of the device
          schema:
            type: integer
        - name: policy
          in: query
          description: Filter by policy name
          schema:
            type: string
      responses:
        '200':
          description: List of rules
          content:
            application/json:
              schema:
                type: object
                properties:
                  rules:
                    type: object
                    properties:
                      count:
                        type: integer
                      rule:
                        type: array
                        items:
                          $ref: '#/components/schemas/Rule'
  /devices/{deviceId}/rules/{ruleId}:
    get:
      operationId: getRuleByDeviceAndId
      summary: Get Rule By Device and ID
      description: Retrieve a specific firewall rule by device and rule ID.
      tags:
        - Devices
        - Rules
      security:
        - basicAuth: []
      parameters:
        - name: deviceId
          in: path
          required: true
          description: The unique identifier of the device
          schema:
            type: integer
        - name: ruleId
          in: path
          required: true
          description: The unique identifier of the rule
          schema:
            type: integer
      responses:
        '200':
          description: Rule details
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Rule'
        '404':
          description: Rule not found
  /devices/offline:
    post:
      operationId: addOfflineDevice
      summary: Add Offline Device
      description: Add an offline device to SecureTrack management.
      tags:
        - Devices
      security:
        - basicAuth: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DeviceInput'
      responses:
        '200':
          description: Offline device added
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Device'
  /topology/path:
    get:
      operationId: getTopologyPath
      summary: Get Network Path
      description: >-
        Query the network topology to determine whether traffic is permitted between
        source and destination endpoints, and which devices are traversed.
      tags:
        - Topology
      security:
        - basicAuth: []
      parameters:
        - name: src
          in: query
          required: true
          description: Source IP address or CIDR range
          schema:
            type: string
        - name: dst
          in: query
          required: true
          description: Destination IP address or CIDR range
          schema:
            type: string
        - name: service
          in: query
          description: Service (protocol/port, e.g., tcp/443)
          schema:
            type: string
      responses:
        '200':
          description: Path analysis result
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TopologyPath'
  /topology/path/image:
    get:
      operationId: getTopologyPathImage
      summary: Get Topology Path Image
      description: Export a visualization of the network path as a PNG image.
      tags:
        - Topology
      security:
        - basicAuth: []
      parameters:
        - name: src
          in: query
          required: true
          description: Source IP address or CIDR range
          schema:
            type: string
        - name: dst
          in: query
          required: true
          description: Destination IP address or CIDR range
          schema:
            type: string
      responses:
        '200':
          description: Path topology image
          content:
            image/png:
              schema:
                type: string
                format: binary
  /topology/map:
    get:
      operationId: getTopologyMap
      summary: Get Topology Map
      description: Retrieve the full network topology map.
      tags:
        - Topology
      security:
        - basicAuth: []
      responses:
        '200':
          description: Topology map data
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/TopologyMap'
  /network_objects:
    get:
      operationId: getNetworkObjects
      summary: Get Network Objects
      description: Search for network objects (hosts, ranges, groups) across all managed devices.
      tags:
        - Objects
      security:
        - basicAuth: []
      parameters:
        - name: name
          in: query
          description: Filter by object name
          schema:
            type: string
        - name: ip
          in: query
          description: Filter by IP address
          schema:
            type: string
        - name: type
          in: query
          description: Filter by object type (host, range, group)
          schema:
            type: string
      responses:
        '200':
          description: List of network objects
          content:
            application/json:
              schema:
                type: object
                properties:
                  network_objects:
                    type: object
                    properties:
                      count:
                        type: integer
                      network_object:
                        type: array
                        items:
                          $ref: '#/components/schemas/NetworkObject'
  /services:
    get:
      operationId: getServices
      summary: Get Services
      description: Search for service objects (protocols and ports) across all managed devices.
      tags:
        - Objects
      security:
        - basicAuth: []
      parameters:
        - name: name
          in: query
          description: Filter by service name
          schema:
            type: string
        - name: port
          in: query
          description: Filter by port number
          schema:
            type: string
      responses:
        '200':
          description: List of services
          content:
            application/json:
              schema:
                type: object
                properties:
                  services:
                    type: object
                    properties:
                      service:
                        type: array
                        items:
                          $ref: '#/components/schemas/Service'
  /zones:
    get:
      operationId: getZones
      summary: Get Security Zones
      description: Retrieve all security zones defined across managed devices.
      tags:
        - Zones
      security:
        - basicAuth: []
      responses:
        '200':
          description: List of security zones
          content:
            application/json:
              schema:
                type: object
                properties:
                  zones:
                    type: object
                    properties:
                      zone:
                        type: array
                        items:
                          $ref: '#/components/schemas/Zone'
  /risk:
    get:
      operationId: getRiskAnalysis
      summary: Get Risk Analysis
      description: Retrieve risk analysis findings including policy violations and cleanup tasks.
      tags:
        - Compliance
      security:
        - basicAuth: []
      parameters:
        - name: device_id
          in: query
          description: Filter by device ID
          schema:
            type: integer
      responses:
        '200':
          description: Risk analysis results
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: '#/components/schemas/RiskFinding'
components:
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic
      description: >-
        HTTP Basic Authentication using Tufin Orchestration Suite credentials.
        The authenticated user's TOS permissions apply to all API requests. Basic
        Auth only base64-encodes the username and password, so clients must send
        requests over HTTPS (as in the server URL above) and verify the server certificate.
  schemas:
    Device:
      type: object
      description: A network device managed by SecureTrack
      properties:
        id:
          type: integer
          description: Unique identifier of the device
        name:
          type: string
          description: Display name of the device
        ip:
          type: string
          description: Management IP address
        vendor:
          type: string
          description: Device vendor (e.g., Cisco, Palo Alto Networks, Check Point)
        model:
          type: string
          description: Device model
        version:
          type: string
          description: Software version
        domain:
          type: string
          description: Management domain
        topology:
          type: boolean
          description: Whether this device participates in topology analysis
        managedBy:
          type: string
          description: Management system (e.g., Panorama, SmartCenter)
    DeviceInput:
      type: object
      description: Input for adding or updating a device
      required:
        - vendor
        - model
        - name
      properties:
        vendor:
          type: string
          description: Device vendor
        model:
          type: string
          description: Device model
        name:
          type: string
          description: Device display name
        ip:
          type: string
          description: Management IP address
    Revision:
      type: object
      description: A policy revision for a device
      properties:
        id:
          type: integer
          description: Revision identifier
        device_id:
          type: integer
          description: Device this revision belongs to
        date:
          type: string
          format: date-time
          description: When this revision was recorded
        description:
          type: string
          description: Description of changes in this revision
    Rule:
      type: object
      description: A firewall rule on a network device
      properties:
        id:
          type: integer
          description: Rule identifier
        name:
          type: string
          description: Rule name
        enabled:
          type: boolean
          description: Whether the rule is enabled
        action:
          type: string
          description: Rule action (ACCEPT, DROP, REJECT)
          enum:
            - ACCEPT
            - DROP
            - REJECT
        sources:
          type: array
          items:
            $ref: '#/components/schemas/NetworkObject'
          description: Source network objects
        destinations:
          type: array
          items:
            $ref: '#/components/schemas/NetworkObject'
          description: Destination network objects
        services:
          type: array
          items:
            $ref: '#/components/schemas/Service'
          description: Services this rule applies to
        comment:
          type: string
          description: Rule comment or documentation
        lastHit:
          type: string
          format: date-time
          description: Last time this rule was matched
    TopologyPath:
      type: object
      description: Result of a network topology path query
      properties:
        traffic_allowed:
          type: boolean
          description: Whether traffic is allowed between source and destination
        is_fully_routed:
          type: boolean
          description: Whether a complete routed path exists
        device_info:
          type: array
          items:
            type: object
            properties:
              name:
                type: string
                description: Device name
              id:
                type: integer
                description: Device ID
          description: Devices traversed in the path
    TopologyMap:
      type: object
      description: Network topology map data
      properties:
        nodes:
          type: array
          items:
            type: object
          description: Topology nodes (devices, subnets)
        edges:
          type: array
          items:
            type: object
          description: Topology connections between nodes
    NetworkObject:
      type: object
      description: A network object (host, range, or group)
      properties:
        id:
          type: integer
          description: Object identifier
        name:
          type: string
          description: Object name
        type:
          type: string
          description: Object type (host, range, group)
        ip:
          type: string
          description: IP address or range
        netmask:
          type: string
          description: Network mask
    Service:
      type: object
      description: A service object (protocol/port combination)
      properties:
        id:
          type: integer
          description: Service identifier
        name:
          type: string
          description: Service name
        protocol:
          type: string
          description: Protocol (TCP, UDP, ICMP)
        port:
          type: string
          description: Port number or range
    Zone:
      type: object
      description: A security zone
      properties:
        id:
          type: integer
          description: Zone identifier
        name:
          type: string
          description: Zone name
        comment:
          type: string
          description: Zone description
        subnets:
          type: array
          items:
            type: string
          description: IP subnets belonging to this zone
    RiskFinding:
      type: object
      description: A risk analysis finding
      properties:
        rule_id:
          type: integer
          description: Rule identifier with the finding
        device_id:
          type: integer
          description: Device with the finding
        risk_type:
          type: string
          description: Type of risk (violation, unused_rule, shadowed_rule)
        severity:
          type: string
          description: Risk severity level
        description:
          type: string
          description: Description of the risk finding
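Added example, not Tufin's code: using GET /topology/path as a pre-change or compliance gate. The request format (`src`, `dst`, `service` query parameters) and the `traffic_allowed`, `is_fully_routed` and `device_info` fields follow the TopologyPath schema above. The flow list, the responses, and the `query` callable are this example's constructed assumptions; the point it adds is the caveat a practitioner needs: `traffic_allowed` is false both when a firewall blocks the flow and when no route exists, so an unrouted path must be reported as inconclusive rather than counted as a confirmed deny.

```python
"""Connectivity verification with SecureTrack topology path queries.

Added example, not Tufin's code. The request format and the TopologyPath fields
(traffic_allowed, is_fully_routed, device_info) follow the spec on this page.
Assumptions of this example: `query(src, dst, service)` is any callable returning
that object, and FLOWS stands in for the access a change ticket or zone-to-zone
policy requires. SAMPLE_PATHS is constructed data so the check runs offline.
"""
import urllib.parse
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    label: str
    src: str
    dst: str
    service: str
    expect_allowed: bool


def path_query_url(host, src, dst, service):
    """Build GET /topology/path?src=..&dst=..&service=.. (the '/' in tcp/443 is percent-encoded)."""
    qs = urllib.parse.urlencode({"src": src, "dst": dst, "service": service})
    return f"https://{host}/securetrack/api/topology/path?{qs}"


def check_flows(query, flows):
    """One verdict per flow. An unrouted path is reported as inconclusive, not as a deny:
    traffic_allowed is false both when policy blocks the flow and when no route exists."""
    verdicts = []
    for f in flows:
        res = query(f.src, f.dst, f.service)
        allowed = bool(res.get("traffic_allowed"))
        hops = [d["name"] for d in res.get("device_info", [])]
        if not res.get("is_fully_routed"):
            status = "unroutable"
        elif allowed == f.expect_allowed:
            status = "ok"
        else:
            status = "unexpected-allow" if allowed else "unexpected-deny"
        verdicts.append({"flow": f.label, "status": status, "devices": hops})
    return verdicts


def gate(verdicts):
    """Exit-code style result for a change pipeline: 0 clean, 1 policy mismatch,
    2 only inconclusive results (someone must look at the topology model)."""
    statuses = {v["status"] for v in verdicts}
    if "unexpected-allow" in statuses or "unexpected-deny" in statuses:
        return 1
    return 2 if "unroutable" in statuses else 0


# Constructed flows and responses (not real network data).
FLOWS = [
    Flow("corp-to-web", "10.20.0.0/24", "10.1.1.10", "tcp/443", True),
    Flow("guest-to-pci", "192.168.50.0/24", "10.1.5.10", "tcp/1433", False),
    Flow("internet-to-pci-ssh", "0.0.0.0/0", "10.1.5.10", "tcp/22", False),
    Flow("corp-to-legacy", "10.20.0.7", "172.31.200.9", "tcp/443", True),
]
SAMPLE_PATHS = {
    ("10.20.0.0/24", "10.1.1.10", "tcp/443"): {
        "traffic_allowed": True, "is_fully_routed": True,
        "device_info": [{"name": "core-rtr", "id": 3}, {"name": "edge-fw-1", "id": 7}]},
    ("192.168.50.0/24", "10.1.5.10", "tcp/1433"): {
        "traffic_allowed": True, "is_fully_routed": True,
        "device_info": [{"name": "guest-fw", "id": 9}, {"name": "pci-fw", "id": 11}]},
    ("0.0.0.0/0", "10.1.5.10", "tcp/22"): {
        "traffic_allowed": False, "is_fully_routed": True,
        "device_info": [{"name": "edge-fw-1", "id": 7}]},
    ("10.20.0.7", "172.31.200.9", "tcp/443"): {
        "traffic_allowed": False, "is_fully_routed": False, "device_info": []},
}


def sample_query(src, dst, service):
    return SAMPLE_PATHS[(src, dst, service)]


def run_sample_check():
    return check_flows(sample_query, FLOWS)


if __name__ == "__main__":
    verdicts = run_sample_check()
    for v in verdicts:
        print(f"{v['status']:16} {v['flow']:22} via {' > '.join(v['devices']) or '-'}")
    raise SystemExit(gate(verdicts))
```

To run this against a live TOS, replace `sample_query` with a function that issues the GET built by `path_query_url()` with the Basic Auth header and returns the parsed JSON; `check_flows()` and `gate()` do not change. On the constructed data the guest-to-PCI database flow is reported as an unexpected allow (the gate returns 1) and the legacy flow as unroutable, which is a topology-model gap to investigate rather than evidence that the access is blocked.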